From 81faed9c8c03fa5b385960a2fc7034bda3d07be3 Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult" <info@metux.net>
Date: Wed, 19 Mar 2025 10:50:56 +0100
Subject: [PATCH] Xnamespace: filter raw mouse motion and keyboard access

Only namespaces with allowMouseOption flag enabled can receive
raw mouse motion events. Raw key press events are always blocked.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
---
 Xext/namespace/config.c       |  1 +
 Xext/namespace/hook-receive.c | 75 +++++++++++++++++++++++++++++++++++
 Xext/namespace/hooks.h        |  1 +
 Xext/namespace/meson.build    |  1 +
 Xext/namespace/namespace.c    |  4 +-
 Xext/namespace/namespace.h    |  1 +
 6 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 Xext/namespace/hook-receive.c

diff --git a/Xext/namespace/config.c b/Xext/namespace/config.c
index 424b9c1f1..a62952cb2 100644
--- a/Xext/namespace/config.c
+++ b/Xext/namespace/config.c
@@ -6,6 +6,7 @@
 #include "namespace.h"
 
 struct Xnamespace ns_root = {
+    .allowMouseMotion = TRUE,
     .builtin = TRUE,
     .name = NS_NAME_ROOT,
     .refcnt = 1,
diff --git a/Xext/namespace/hook-receive.c b/Xext/namespace/hook-receive.c
new file mode 100644
index 000000000..fb5d36729
--- /dev/null
+++ b/Xext/namespace/hook-receive.c
@@ -0,0 +1,75 @@
+#define HOOK_NAME "recieve"
+
+#include <dix-config.h>
+
+#include <X11/Xmd.h>
+
+#include "dix/extension_priv.h"
+#include "dix/registry_priv.h"
+#include "dix/resource_priv.h"
+#include "Xext/xacestr.h"
+#include "Xi/exglobals.h"
+
+#include "namespace.h"
+#include "hooks.h"
+
+static inline Bool isRootWin(WindowPtr pWin) {
+    return (pWin->parent == NullWindow && dixClientForWindow(pWin) == serverClient);
+}
+
+void
+hookReceive(CallbackListPtr *pcbl, void *unused, void *calldata)
+{
+    XNS_HOOK_HEAD(XaceReceiveAccessRec);
+    struct XnamespaceClientPriv *obj = XnsClientPriv(dixClientForWindow(param->pWin));
+
+    // send and receive within same namespace permitted without restrictions
+    if (XnsClientSameNS(subj, obj))
+        goto pass;
+
+    for (int i=0; i<param->count; i++) {
+        const int type = param->events[i].u.u.type;
+        switch (type) {
+            case GenericEvent: {
+                xGenericEvent *gev = (xGenericEvent*)&param->events[i].u;
+                if (gev->extension == EXTENSION_MAJOR_XINPUT) {
+                    switch (gev->evtype) {
+                        case XI_RawMotion:
+                            if ((!subj->ns->allowMouseMotion) || !isRootWin(param->pWin))
+                                goto reject;
+                            continue;
+                        case XI_RawKeyPress:
+                        case XI_RawKeyRelease:
+                            goto reject;
+                        default:
+                            XNS_HOOK_LOG("XI unknown %d\n", gev->evtype);
+                            goto reject;
+                    }
+                }
+                XNS_HOOK_LOG("BLOCKED #%d generic event extension=%d\n", i, gev->extension);
+                goto reject;
+            }
+            break;
+
+            default:
+                XNS_HOOK_LOG("BLOCKED event type #%d 0%0x 0%0x %s %s%s\n", i, type, param->events[i].u.u.detail,
+                    LookupEventName(type), (type & 128) ? "fake" : "",
+                    isRootWin(param->pWin) ? " (root window)" : "");
+                goto reject;
+            break;
+        }
+    }
+
+pass:
+    return;
+
+reject:
+    param->status = BadAccess;
+    XNS_HOOK_LOG("BLOCKED client %d [NS %s] receiving event sent to window 0x%lx of client %d [NS %s]\n",
+        client->index,
+        subj->ns->name,
+        (unsigned long)param->pWin->drawable.id,
+        dixClientForWindow(param->pWin)->index,
+        obj->ns->name);
+    return;
+}
diff --git a/Xext/namespace/hooks.h b/Xext/namespace/hooks.h
index a2327156f..956ad3dba 100644
--- a/Xext/namespace/hooks.h
+++ b/Xext/namespace/hooks.h
@@ -26,6 +26,7 @@
 
 void hookClientState(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookInitRootWindow(CallbackListPtr *pcbl, void *unused, void *calldata);
+void hookReceive(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookSelectionFilter(CallbackListPtr *pcbl, void *unused, void *calldata);
 void hookWindowProperty(CallbackListPtr *pcbl, void *unused, void *calldata);
 
diff --git a/Xext/namespace/meson.build b/Xext/namespace/meson.build
index 4b6365003..92a1c1d6a 100644
--- a/Xext/namespace/meson.build
+++ b/Xext/namespace/meson.build
@@ -4,6 +4,7 @@ libxserver_namespace = static_library(
 		'config.c',
 		'hook-clientstate.c',
 		'hook-init-rootwindow.c',
+		'hook-receive.c',
 		'hook-selection.c',
 		'hook-windowproperty.c',
 		'namespace.c',
diff --git a/Xext/namespace/namespace.c b/Xext/namespace/namespace.c
index 27b5f69b0..0e8214581 100644
--- a/Xext/namespace/namespace.c
+++ b/Xext/namespace/namespace.c
@@ -8,6 +8,7 @@
 #include "dix/selection_priv.h"
 #include "include/os.h"
 #include "miext/extinit_priv.h"
+#include "Xext/xacestr.h"
 
 #include "namespace.h"
 #include "hooks.h"
@@ -32,7 +33,8 @@ NamespaceExtensionInit(void)
           AddCallback(&ClientStateCallback, hookClientState, NULL) &&
           AddCallback(&PostInitRootWindowCallback, hookInitRootWindow, NULL) &&
           AddCallback(&PropertyFilterCallback, hookWindowProperty, NULL) &&
-          AddCallback(&SelectionFilterCallback, hookSelectionFilter, NULL)))
+          AddCallback(&SelectionFilterCallback, hookSelectionFilter, NULL) &&
+          XaceRegisterCallback(XACE_RECEIVE_ACCESS, hookReceive, NULL)))
         FatalError("NamespaceExtensionInit: allocation failure\n");
 
     /* Do the serverClient */
diff --git a/Xext/namespace/namespace.h b/Xext/namespace/namespace.h
index 5bf9ba7f8..fed2565b7 100644
--- a/Xext/namespace/namespace.h
+++ b/Xext/namespace/namespace.h
@@ -14,6 +14,7 @@ struct Xnamespace {
     struct xorg_list entry;
     const char *name;
     Bool builtin;
+    Bool allowMouseMotion;
     Bool superPower;
     const char *authProto;
     char *authTokenData;